Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.

I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 for all of the listed devices.

Lab

This is my test lab. All devices are directly connected via a layer 2 switch:

General Information

Everything takes place in area 0.0.0.0 (backbone area)

Juniper SSG should be the DR: interface priority set to 100.

Palo Alto should be the BDR: interface priority set to 50.

Router-ID is always set manually according to my IPv4 scheme: 172.16.1.x, where x = the interface-ID from the IPv6 addresses (from ::1 to ::6).

Cost for the interfaces as seen in the figure.

Passive-interface on all user/access interfaces.

Redistribution of the remote access VPN clients on the Cisco ASA (AnyConnect).

No authentication is used.

The following devices are in alphabetical order. Beneath each screenshot is a detailed description of the configuration that is shown.

During the tests, a single Cisco AnyConnect client was connected and therefore redistributed with a /128 IPv6 address prefix. The Quagga router was added to this lab after most of the listings were saved. That is: The Quagga router (172.16.1.8) is not shown on any other firewalls/routers.

Cisco ASA

The Cisco ASA 5505 is running version 9.2(4). Following are the configuration and monitoring screenshots:

Routing table incl. the static IPv6 route to the currently connected VPN client.

These are the relevant CLI commands for the OSPFv3 config:

interface Vlan130
 ipv6 address 2003:51:6012:130::1/64
 ipv6 address autoconfig
 ipv6 enable
 ipv6 ospf cost 100
 ipv6 ospf 1 area 0
 ipv6 ospf encryption null
!
ipv6 router ospf 1
 router-id 172.16.1.3
 passive-interface insideASA130
 passive-interface insideASA131
 log-adjacency-changes
 redistribute static metric 1000
!

These CLI commands show the OSPFv3 runtime values:

fd-wv-fw03# show ipv6 ospf
Routing Process "ospfv3 1" with ID 172.16.1.3
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
    static with metric 1000
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0x4dac
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Graceful restart helper support disabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0)
    Number of interfaces in this area is 2
    SPF algorithm executed 11 times
    Number of LSA 19. Checksum Sum 0xa3f76
    Number of DCbitless LSA 6
    Number of indication LSA 0
    Number of DoNotAge LSA 0
    Flood list length 0
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1      100   2WAY/DROTHER    0:00:36     880             outside
172.16.1.2       50   FULL/DR         0:00:34     16              outside
172.16.1.5        1   FULL/BDR        0:00:30     3               outside
172.16.1.6        1   2WAY/DROTHER    0:00:31     6               outside
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf database
OSPFv3 Router with ID (172.16.1.3) (Process ID 1)
Router Link States (Area 0)
ADV Router      Age     Seq#          Fragment ID   Link count   Bits
172.16.1.1      1608    0x80000122    1             1            None
172.16.1.2      636     0x80000124    0             1            E
172.16.1.3      1461    0x80000102    0             1            E
172.16.1.5      74      0x80000102    0             1            None
172.16.1.6      1371    0x80000122    0             1            None
Net Link States (Area 0)
ADV Router      Age     Seq#          Link ID    Rtr count
172.16.1.2      634     0x80000122    16         5
Link (Type-8) Link States (Area 0)
ADV Router      Age     Seq#          Link ID    Interface
172.16.1.3      430     0x80000008    15         insideASA130
172.16.1.1      1653    0x8000011d    880        outside
172.16.1.2      1310    0x8000011e    16         outside
172.16.1.3      945     0x80000101    14         outside
172.16.1.5      74      0x80000101    3          outside
172.16.1.6      1441    0x8000011d    6          outside
Intra Area Prefix Link States (Area 0)
ADV Router      Age     Seq#          Link ID    Ref-lstype   Ref-LSID
172.16.1.1      1648    0x80000242    1          0x2001       0
172.16.1.2      637     0x80000124    1          0x2001       0
172.16.1.2      629     0x80000129    458752     0x2002       16
172.16.1.2      637     0x8000011f    589824     0x2002       257
172.16.1.3      946     0x80000101    0          0x2001       0
172.16.1.5      1327    0x80000006    0          0x2001       0
172.16.1.6      1370    0x80000120    2          0x2001       0
Type-5 AS External Link States
ADV Router      Age     Seq#          Prefix
172.16.1.3      606     0x80000001    2003:51:6012:133:feed:cafe:0:10/128
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf database self-originate
OSPFv3 Router with ID (172.16.1.3) (Process ID 1)
Router Link States (Area 0)
ADV Router      Age     Seq#          Fragment ID   Link count   Bits
172.16.1.3      1495    0x80000102    0             1            E
Link (Type-8) Link States (Area 0)
ADV Router      Age     Seq#          Link ID    Interface
172.16.1.3      464     0x80000008    15         insideASA130
172.16.1.3      979     0x80000101    14         outside
Intra Area Prefix Link States (Area 0)
ADV Router      Age     Seq#          Link ID    Ref-lstype   Ref-LSID
172.16.1.3      979     0x80000101    0          0x2001       0
Type-5 AS External Link States
ADV Router      Age     Seq#          Prefix
172.16.1.3      639     0x80000001    2003:51:6012:133:feed:cafe:0:10/128
fd-wv-fw03#
fd-wv-fw03#

Cisco Router

I am running a Cisco 2811 router with version 15.1(4)M9. The configuration commands are the following: (Just for fun I set the OSPF process to “17”.)

interface FastEthernet0/0
 ipv6 address 2003:51:6012:101::5/64
 ipv6 enable
 ipv6 nd ra suppress
 ipv6 ospf 17 area 0.0.0.0
!
interface FastEthernet0/1
 ipv6 address 2003:61:6012:102::1/64
 ipv6 enable
 ipv6 ospf 17 area 0.0.0.0
!
ipv6 router ospf 17
 router-id 172.16.1.5
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface FastEthernet0/0
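Added example, not part of the original post: since this lab runs OSPFv3 without authentication, every non-passive interface accepts adjacencies from any OSPFv3 speaker on its segment. The Python code below audits an IOS-style configuration for exactly those interfaces. The names `audit_ospfv3` and `exposed` and the `HARDENED` variant (the IOS interface command `ipv6 ospf authentication ipsec` with a placeholder SPI and key) are assumptions of this example.

```python
import re

# OSPFv3-relevant lines of the Cisco router configuration from this lab.
LAB_CONFIG = """\
interface FastEthernet0/0
 ipv6 ospf 17 area 0.0.0.0
!
interface FastEthernet0/1
 ipv6 ospf 17 area 0.0.0.0
!
ipv6 router ospf 17
 router-id 172.16.1.5
 passive-interface default
 no passive-interface FastEthernet0/0
"""
# Constructed variant: FastEthernet0/0 with IPsec AH authentication (placeholder key).
HARDENED = LAB_CONFIG.replace(
    " ipv6 ospf 17 area 0.0.0.0\n",
    " ipv6 ospf 17 area 0.0.0.0\n"
    " ipv6 ospf authentication ipsec spi 256 sha1 <40-HEX-DIGIT-KEY>\n", 1)

def audit_ospfv3(config):
    """Return {interface: (protection, passive)} for OSPFv3-enabled interfaces."""
    prot, mode, cur = {}, None, None
    default_passive, passive, active = False, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # top-level line opens a stanza
            m = re.match(r"interface (\S+)", line)
            cur = m.group(1) if m else None
            mode = "if" if m else ("rtr" if line.startswith("ipv6 router ospf") else None)
        elif mode == "if" and re.match(r"ipv6 ospf \S+ area ", line):
            prot.setdefault(cur, "none")         # OSPFv3 enabled, nothing protecting it yet
        elif mode == "if" and (m := re.match(r"ipv6 ospf (?:authentication|encryption) (\S+)", line)):
            prot[cur] = "null" if m.group(1) == "null" else "ipsec"
        elif mode == "rtr" and line == "passive-interface default":
            default_passive = True
        elif mode == "rtr" and (m := re.match(r"(no )?passive-interface (\S+)", line)):
            (active if m.group(1) else passive).add(m.group(2))
    return {i: (p, i in passive or (default_passive and i not in active))
            for i, p in prot.items()}

def exposed(config):
    """Interfaces that form adjacencies without authentication or encryption."""
    return sorted(i for i, (p, psv) in audit_ospfv3(config).items()
                  if not psv and p in ("none", "null"))
```

On the lab configuration `exposed()` reports FastEthernet0/0 only; FastEthernet0/1 is covered by `passive-interface default`.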

And the show commands:

fd-wv-ro03#show ipv6 ospf
Routing Process "ospfv3 17" with ID 172.16.1.5
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0x004DAC
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Graceful restart helper support enabled
Reference bandwidth unit is 10000 mbps
Area BACKBONE(0.0.0.0)
    Number of interfaces in this area is 2
    SPF algorithm executed 23 times
    Number of LSA 19. Checksum Sum 0x098B75
    Number of DCbitless LSA 6
    Number of indication LSA 0
    Number of DoNotAge LSA 0
    Flood list length 0
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1      100   FULL/DROTHER    00:00:35    880             FastEthernet0/0
172.16.1.2       50   FULL/DR         00:00:32    16              FastEthernet0/0
172.16.1.3        1   FULL/DROTHER    00:00:38    14              FastEthernet0/0
172.16.1.6        1   FULL/DROTHER    00:00:30    6               FastEthernet0/0
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf database
OSPFv3 Router with ID (172.16.1.5) (Process ID 17)
Router Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Fragment ID   Link count   Bits
172.16.1.1      622     0x80000123    1             1            None
172.16.1.2      1455    0x80000124    0             1            E
172.16.1.3      243     0x80000103    0             1            E
172.16.1.5      892     0x80000102    0             1            None
172.16.1.6      389     0x80000123    0             1            None
Net Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Link ID    Rtr count
172.16.1.2      1453    0x80000122    16         5
Link (Type-8) Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Link ID    Interface
172.16.1.5      131     0x80000007    4          Fa0/1
172.16.1.1      667     0x8000011E    880        Fa0/0
172.16.1.2      330     0x8000011F    16         Fa0/0
172.16.1.3      1766    0x80000101    14         Fa0/0
172.16.1.5      892     0x80000101    3          Fa0/0
172.16.1.6      459     0x8000011E    6          Fa0/0
Intra Area Prefix Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Link ID    Ref-lstype   Ref-LSID
172.16.1.1      662     0x80000244    1          0x2001       0
172.16.1.2      1455    0x80000124    1          0x2001       0
172.16.1.2      1448    0x80000129    458752     0x2002       16
172.16.1.2      1455    0x8000011F    589824     0x2002       257
172.16.1.3      1766    0x80000101    0          0x2001       0
172.16.1.5      131     0x80000007    0          0x2001       0
172.16.1.6      388     0x80000121    2          0x2001       0
Type-5 AS External Link States
ADV Router      Age     Seq#          Prefix
172.16.1.3      1426    0x80000001    2003:51:6012:133:FEED:CAFE:0:10/128
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf database self-originate
OSPFv3 Router with ID (172.16.1.5) (Process ID 17)
Router Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Fragment ID   Link count   Bits
172.16.1.5      898     0x80000102    0             1            None
Link (Type-8) Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Link ID    Interface
172.16.1.5      137     0x80000007    4          Fa0/1
172.16.1.5      898     0x80000101    3          Fa0/0
Intra Area Prefix Link States (Area 0.0.0.0)
ADV Router      Age     Seq#          Link ID    Ref-lstype   Ref-LSID
172.16.1.5      137     0x80000007    0          0x2001       0
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 route
IPv6 Routing Table - default - 15 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via 2003:51:6012:101::1
C   2003:51:6012:101::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2003:51:6012:101::5/128 [0/0]
     via FastEthernet0/0, receive
O   2003:51:6012:110::/64 [110/200]
     via FE80::219:E2FF:FEA1:F98A, FastEthernet0/0
O   2003:51:6012:120::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:121::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:123::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:124::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:125::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:130::/64 [110/200]
     via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0
OE2 2003:51:6012:133:FEED:CAFE:0:10/128 [110/1000]
     via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0
O   2003:51:6012:160::/64 [110/200]
     via FE80::A5B:EFF:FE3C:115D, FastEthernet0/0
C   2003:61:6012:102::/64 [0/0]
     via FastEthernet0/1, directly connected
L   2003:61:6012:102::1/128 [0/0]
     via FastEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
fd-wv-ro03#
fd-wv-ro03#

Fortinet FortiGate

Unfortunately the FortiGate has no possibility to configure anything of OSPFv3 via the GUI. Everything must be done via the CLI. (And this is called a “Next-Generation Firewall”???)

These are the configuration commands for my lab:

config router ospf6
    set auto-cost-ref-bandwidth 10000
    set router-id 172.16.1.6
    config area
        edit 0.0.0.0
        next
    end
    config ospf6-interface
        edit "wan1"
            set interface "wan1"
        next
        edit "fg-trust"
            set interface "fg-trust"
        next
    end
    set passive-interface "fg-trust"

And the following shows the get commands:

fd-wv-fw04# get router info6 ospf status
Routing Process "OSPFv3 (*null*)" with ID 172.16.1.6
Process uptime is 50 days 22 hours 5 minutes
SPF schedule delay 5 secs, Hold time between SPFs 10 secs
Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 1. Checksum Sum 0x4BAD
Number of AS-Scoped Unknown LSA 0
Number of LSA originated 23
Number of LSA received 37398
Number of areas in this router is 2
Area BACKBONE(0)
    Number of interfaces in this area is 2(2)
    SPF algorithm executed 15 times
    Number of LSA 13. Checksum Sum 0x5C289
    Number of Unknown LSA 0
Area 0.0.0.51 (Inactive)
    Number of interfaces in this area is 0(0)
    SPF algorithm executed 33 times
    Number of LSA 0. Checksum Sum 0x0000
    Number of Unknown LSA 0
fd-wv-fw04#
fd-wv-fw04#
fd-wv-fw04# get router info6 ospf neighbor
OSPFv3 Process (*null*)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
172.16.1.1      100   2-Way/DROther    00:00:36    wan1        0
172.16.1.2       50   Full/DR          00:00:31    wan1        0
172.16.1.3        1   2-Way/DROther    00:00:32    wan1        0
172.16.1.5        1   Full/Backup      00:00:37    wan1        0
fd-wv-fw04#
fd-wv-fw04#
fd-wv-fw04# get router info6 ospf database
OSPFv3 Router with ID (172.16.1.6) (Process *null*)
Link-LSA (Interface wan1)
Link State ID   ADV Router      Age     Seq#          CkSum    Prefix
0.0.3.112       172.16.1.1      1496    0x8000011e    0x6247   1
0.0.0.16        172.16.1.2      1158    0x8000011f    0x4293   1
0.0.0.14        172.16.1.3      578     0x80000102    0xf084   1
0.0.0.3         172.16.1.5      1722    0x80000101    0xf2b9   1
0.0.0.6         172.16.1.6      1287    0x8000011e    0xf486   1
Link-LSA (Interface fg-trust)
Link State ID   ADV Router      Age     Seq#          CkSum    Prefix
0.0.0.63        172.16.1.6      1261    0x8000011e    0xca19   1
Router-LSA (Area 0.0.0.0)
Link State ID   ADV Router      Age     Seq#          CkSum    Link
0.0.0.1         172.16.1.1      1451    0x80000123    0x197c   1
0.0.0.0         172.16.1.2      484     0x80000125    0x2b24   1
0.0.0.0         172.16.1.3      1073    0x80000103    0x9562   1
0.0.0.0         172.16.1.5      1722    0x80000102    0xea19   1
0.0.0.0         172.16.1.6      1217    0x80000123    0x84d4   1
Network-LSA (Area 0.0.0.0)
Link State ID   ADV Router      Age     Seq#          CkSum
0.0.0.16        172.16.1.2      482     0x80000123    0xb390
Intra-Area-Prefix-LSA (Area 0.0.0.0)
Link State ID   ADV Router      Age     Seq#          CkSum    Prefix   Reference
0.0.0.1         172.16.1.1      1491    0x80000244    0x6d9e   2        Router-LSA
0.0.0.1         172.16.1.2      484     0x80000125    0x265e   5        Router-LSA
0.7.0.0         172.16.1.2      477     0x8000012a    0xb764   1        Network-LSA
0.9.0.0         172.16.1.2      484     0x80000120    0x4fc3   1        Network-LSA
0.0.0.0         172.16.1.3      578     0x80000102    0x972f   1        Router-LSA
0.0.0.0         172.16.1.5      961     0x80000007    0x518b   1        Router-LSA
0.0.0.2         172.16.1.6      1216    0x80000121    0x422d   1        Router-LSA
AS-external-LSA
Link State ID   ADV Router      Age     Seq#          CkSum
0.0.0.0         172.16.1.3      321     0x80000002    0x4bad   E2
fd-wv-fw04#
fd-wv-fw04#
fd-wv-fw04# get router info6 ospf route
OSPFv3 Process (*null*)
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
   Destination                                   Metric
     Next-hop
C  2003:51:6012:101::/64                         10
     directly connected, wan1, Area 0.0.0.0
O  2003:51:6012:110::/64                         110
     via fe80::219:e2ff:fea1:f98a, wan1, Area 0.0.0.0
O  2003:51:6012:120::/64                         20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:121::/64                         20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:123::/64                         20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:124::/64                         20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:125::/64                         20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:130::/64                         110
     via fe80::2a94:fff:fea8:772d, wan1, Area 0.0.0.0
E2 2003:51:6012:133:feed:cafe:0:10/128           10/1000
     via fe80::2a94:fff:fea8:772d, wan1
C  2003:51:6012:160::/64                         100
     directly connected, fg-trust, Area 0.0.0.0
O  2003:61:6012:102::/64                         110
     via fe80::21a:6cff:fea1:2b98, wan1, Area 0.0.0.0
fd-wv-fw04#
fd-wv-fw04#

Furthermore, the GUI can at least show the routing table:

Juniper ScreenOS

My SSG 5 runs at version 6.3.0r19. Unlike OSPF for IPv4, in which the “enable” checkmark for each interface is inside the interface configuration section, OSPFv3 is completely configured inside the virtual routers menu:

Set the Router ID. This must be done BEFORE any routing protocol is activated.

Create/Edit the OSPFv3 instance.

Enabling OSPFv3.

Add the area.

And add the interfaces.

OSPFv3 MUST be enabled on each interface, too.

Enabling of OSPFv3 and setting all other values such as cost, priority, or passive mode.

Wireshark Dump

I captured all OSPF packets while I restarted (reload) the Cisco router. The pcapng therefore contains all five types of OSPFv3 packets (Hello, DBD, LSR, LSU, LSAck). Here it is for download:

As an example, these are the messages after the Cisco router has booted (red-marked area). After some database description packets (DBD), the router requested (LSR) many details. After that, the designated router (DR) sent many link-state updates (LSU), which contain the link-state advertisements (LSA). The yellow highlighted section shows one of the intra-area-prefix LSAs:
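Added example, not from the original post: a decoder for the 16-byte OSPFv3 packet header and the fixed part of the Hello body, used to check that every speaker seen in such a capture is one of the lab's routers. The sample packet is constructed (checksum zeroed), and `inspect_ospfv3`, `KNOWN_ROUTERS` and the priority threshold are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

PACKET_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
# Router IDs that appear in the listings above, plus the Quagga router (172.16.1.8).
KNOWN_ROUTERS = {"172.16.1.1", "172.16.1.2", "172.16.1.3",
                 "172.16.1.5", "172.16.1.6", "172.16.1.8"}

# Constructed Hello from 172.16.1.5 (priority 1, DR 172.16.1.2, BDR 172.16.1.5).
SAMPLE_HELLO = bytes.fromhex(
    "03010024" "ac100105" "00000000" "0000" "00" "00"   # ver, type, len, RID, area, cksum, instance, 0
    "00000003" "01" "000013" "000a" "0028"              # interface ID, priority, options, hello, dead
    "ac100102" "ac100105")                              # DR, BDR

def inspect_ospfv3(payload):
    """Decode one OSPFv3 packet (IPv6 payload, next header 89) and list anomalies."""
    if len(payload) < 16:
        return {"alerts": ["truncated header"]}
    ver, ptype, length, rid, area, _cksum, _inst = struct.unpack("!BBH4s4sHBx", payload[:16])
    info = {"type": PACKET_TYPES.get(ptype, f"unknown({ptype})"),
            "router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)), "alerts": []}
    if ver != 3:
        info["alerts"].append(f"version {ver}, not OSPFv3")
    if length != len(payload):
        info["alerts"].append("length field does not match payload")
    if info["router_id"] not in KNOWN_ROUTERS:
        info["alerts"].append("router ID not in lab inventory")
    if info["area"] != "0.0.0.0":
        info["alerts"].append("area is not the backbone")
    if ptype == 1 and len(payload) >= 36:                # Hello: fixed 20-byte body
        _ifid, prio, _opts, _hello, _dead, dr, bdr = struct.unpack("!IB3sHH4s4s", payload[16:36])
        info.update(priority=prio, dr=str(IPv4Address(dr)), bdr=str(IPv4Address(bdr)))
        if prio > 100:                                   # 100 is the highest priority set in this lab
            info["alerts"].append("priority above the intended DR (100)")
    return info
```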